Examiner: Phenuel S. Salomon

Title: Graphical User Interface for Capture System 

MAIL STOP APPEAL BRIEF - PATENTS 

Commissioner for Patents
P.O. Box 1450
Alexandria, Virginia 22313-1450

Dear Sir:



APPEAL BRIEF 



Appellant appeals to the Board of Patent Appeals and Interferences from the 
decision of the Examiner sent on January 4, 2011, finally rejecting Claims 1-5, 25, and 
27-33, which are pending in this case. Appellant previously filed a timely Notice of 
Appeal on December 1, 2010.

I. REAL PARTY IN INTEREST

This Application is currently owned by the Appellant, McAfee, Inc., 3965 
Freedom Circle, Santa Clara, California, 95054, by virtue of an assignment recorded 
on January 26, 2009 at Reel 022214, Frame 0151. 

II. RELATED APPEALS AND INTERFERENCES 

There are no known appeals or interferences, which will directly affect or be 
directly affected by or have a bearing on the Board's decision regarding this appeal. 

III. STATUS OF CLAIMS 

Claims 1-5, 25, and 27-33 are pending in this Application. Claims 1-5, 25, and 
27-33 stand rejected pursuant to the Advisory Action dated January 4, 2011, and are 
presented for appeal. Claims 6-21, 26, and 34 were previously cancelled. Claims 22- 
24 were previously withdrawn. All pending claims are shown in Appendix VIII. 

IV. STATUS OF AMENDMENTS 

All amendments were previously entered and no new amendments were 
made after the Advisory Action mailed January 4, 2011. 

V. SUMMARY OF CLAIMED SUBJECT MATTER 

Set out below are the Independent Claims with the material facts relevant to 
the rejections on appeal supported by reference to a specific page number, 
paragraph number, and drawing numerals.

1. A method comprising:

presenting a graphical user interface (GUI) [see, for example, FIGURES 8-17: 
elements #706, #708, #710, etc. and the Specification at paragraphs 50-53] for a 
capture system [see, for example, FIGURES 2-3: element #22, and the Specification 
at paragraphs 28, 31-32], wherein the GUI comprises one or more views including: 

a search editor view to enable parameters of a search of tags of objects 
captured by the capture system to be defined [see, for example, FIGURE 11: #722 
and the Specification at paragraph 56], the capture system configured to intercept 
data from data streams, reconstruct the data, and store network transmitted objects 
according to a capture rule that defines which objects are to be captured by the 
capture system [see, for example, the Specification at paragraphs 32-35, 41-42], 
wherein each tag is associated with at least one captured object and includes 
relevant information that describes the at least one object [see, for example, the 
Specification at paragraph 43], and wherein the capture rule is part of a default rule 
set for the capture system configured to monitor network traffic and capture the at 
least one object [see, for example, the Specification at paragraph 41], and wherein 
the capture system is configured to store a document captured by the capture 
system according to the capture rule [see, for example, the Specification at 
paragraph 42], which identifies a first internet protocol (IP) address from which the 
document was sent and a second IP address associated with an intended destination 
of the document [see, for example, Tables 1-2 of the Specification at paragraphs 
43, 46], and wherein after an initial search is generated it is scheduled to occur on a 
periodic basis such that a report is automatically sent to a network address of an
author of the initial search [see, for example, FIGURE 15: element #724, and the
Specification at paragraphs 55, 65-67]; and 

a capture rule view [see, for example, FIGURE 17: element #732] to 
enable parameters of the capture rule to be defined [see, for example, the 
Specification at paragraph 69-70].

27. A computer readable medium having stored thereon data representing
instructions that, when executed by a processor, cause the processor [see, for 
example, the Specification at paragraphs 71-72] to perform operations comprising: 

presenting a graphical user interface (GUI) [see, for example, FIGURES 8-17: 
elements #706, #708, #710, etc. and the Specification at paragraphs 50-53] for a 
capture system [see, for example, FIGURES 2-3: element #22, and the Specification 
at paragraphs 28, 31-32], wherein the GUI comprises one or more views including: 

a search editor view to enable parameters of a search of tags of objects 
captured by the capture system to be defined [see, for example, FIGURE 11: #722 
and the Specification at paragraph 56], the capture system configured to intercept 
data from data streams, reconstruct network transmitted objects, and store network 
transmitted objects according to a capture rule that defines which objects are to be 
captured by the capture system [see, for example, the Specification at paragraphs 
32-35, 41-42], wherein each tag is associated with at least one captured object and 
includes relevant information that describes the at least one object [see, for 
example, the Specification at paragraph 43], and wherein the capture rule is part of 
a default rule set for the capture system configured to monitor network traffic and 
capture the at least one object [see, for example, the Specification at paragraph 
41], and wherein the capture system is configured to store a document captured by 
the capture system according to the capture rule [see, for example, the 
Specification at paragraph 42], which identifies a first internet protocol (IP) address 
from which the document was sent and a second IP address associated with an 
intended destination of the document [see, for example, Tables 1-2 of the 
Specification at paragraphs 43, 46], and wherein after an initial search is generated
it is scheduled to occur on a periodic basis such that a report is automatically sent to
a network address of an author of the initial search [see, for example, FIGURE 15: 
element #724, and the Specification at paragraphs 55, 65-67]; and 

a capture rule view [see, for example, FIGURE 17: element #732] to 
enable parameters of the capture rule to be defined [see, for example, the 
Specification at paragraph 69-70]. 

VI. GROUNDS OF REJECTION TO BE REVIEWED ON APPEAL 

A. Section 103 Rejection 

The Examiner rejects Claims 1-3, 25 and 27-33 under 35 U.S.C. §103(a) as 
being unpatentable over U.S. Publication No. 2005/0021715 issued to Dugatkin 
(hereinafter "Dugatkin") in view of U.S. Patent No. 6,978,297 issued to Piersol 
(hereinafter "Piersol") and further in view of U.S. Patent No. 6,161,102 issued to 
Yanagihara (hereinafter "Yanagihara"). The Examiner also rejects Claims 4 and 30 
under 35 U.S.C. §103(a) as being unpatentable over Dugatkin in view of Piersol in 
view of Yanagihara and in further view of U.S. Patent No. 7,185,192 issued to Khan 
(hereinafter "Khan"). The Examiner further rejects Claim 5 and 31 under 35 U.S.C. 
§103(a) as being unpatentable over Dugatkin, in view of Piersol, in view of 
Yanagihara and in further view of Microsoft Outlook 2000 © 1995-2000 (hereinafter
"Outlook").

VII. ARGUMENT

A. Section 103 Rejection 

The Examiner rejects Claims 1-3, 25 and 27-33 under 35 U.S.C. §103(a) as 
being unpatentable over U.S. Publication No. 2005/0021715 issued to Dugatkin 
(hereinafter "Dugatkin") in view of U.S. Patent No. 6,978,297 issued to Piersol 
(hereinafter "Piersol") and further in view of U.S. Patent No. 6,161,102 issued to 
Yanagihara (hereinafter "Yanagihara"). The Examiner also rejects Claims 4 and 30 
under 35 U.S.C. §103(a) as being unpatentable over Dugatkin in view of Piersol in 
view of Yanagihara and in further view of U.S. Patent No. 7,185,192 issued to Khan 
(hereinafter "Khan"). The Examiner further rejects Claim 5 and 31 under 35 U.S.C. 
§103(a) as being unpatentable over Dugatkin, in view of Piersol, in view of 
Yanagihara and in further view of Microsoft Outlook 2000 © 1995-2000 (hereinafter 
"Outlook"). 

As a preliminary matter, Applicant is prepared to identify ten (or more) 
substantive problems associated with the Examiner's current 3-reference and 4- 
reference §103 rejections. In an effort to conserve the Board's valuable resources, 
Applicant will only highlight a handful of significant problems with the Examiner's 
current analysis. 

Independent Claim 1 recites "...a search editor view to enable parameters of a 
search of tags of objects captured by the capture system to be defined, the capture 
system configured to intercept data from data streams, reconstruct the data, and 
store network transmitted objects according to a capture rule that defines which 
objects are to be captured by the capture system, wherein each tag is associated 
with at least one captured object and includes relevant information that describes
the at least one object, and wherein the capture rule is part of a default rule set for
the capture system configured to monitor network traffic and capture the at least 
one object, and wherein the capture system is configured to store a document 
captured by the capture system according to the capture rule, which identifies a first 
internet protocol (IP) address from which the document was sent and a second IP 
address associated with an intended destination of the document, and wherein after 
an initial search is generated it is scheduled to occur on a periodic basis such that a 
report is automatically sent to a network address of an author of the initial 
search...." 

First, nothing in Dugatkin discusses any type of capture rule, which outlines
source and destination address information. Applicant is at a loss to even respond to
the Examiner's citation to Fig. 3 of this Dugatkin reference. Nowhere in that Fig. 3
(nor in the associated descriptions of this illustration) is there any disclosure
associated with IP addresses: much less two different IP addresses associated with
the origination and the destination associated with a document sought to be
transmitted over the network. In the most straightforward sense, the Dugatkin
reference does not have the requisite intelligence to track information being sent
by/to specific IP addresses.

In supporting the §103 rejection, the Examiner cites the following passage of
Dugatkin:

therefore are part of the capture system], which identifies an internet protocol (IP) address from which the
document was sent and a second IP address associated with an intended destination of the document (fig.
3 is a block diagram of successive capture groups showing how the depth and granularity of network
traffic data captured, collected and analyzed by the collectors 210 and the filters 212 may be increased in
successive capture groups by the feedback controller 222. With successive refinement, a first capture
group 320 may include all of the various types of transport protocols, also referred to as layer 3 data
units, of all IP data units 310) (para. [0048]) [referring to all IP data units implies that first, second and
any subsequent IP addresses are captured and identified].

[See the Final Office Action mailed October 1, 2010: page 3.]

In essence, the Dugatkin reference is alluding to certain types of data being
collected at various levels of the OSI model. Indeed, at the very passage being cited
by the Examiner, the Dugatkin reference is discussing the transport protocols being
used for filtering. Mistakenly, the Examiner uses the term "IP data units" to
somehow arrive at a capture rule that identifies a first IP address from which the
document was sent and a second IP address associated with an intended destination
of the document. Taking such sweeping liberties is simply improper in the context of
offering sustainable §103 rejections. Moreover, the term 'IP data units' does not
afford the Examiner a bridge to the limitation "...a capture rule that identifies a first
IP address from which the document was sent and a second IP address associated
with an intended destination of the document" as is recited in Independent Claim 1.

Moreover, this IP address information is not only associated with a capture
rule, it is explicitly associated with document propagation: something not accounted
for in the Dugatkin reference. As a separate matter of patentability, this same
capture rule (noticeably absent from Dugatkin) includes information associated with
whether the corresponding document should be stored. Stated differently, the
same capture rule that is identifying which document is to be captured is also
dictating whether that same document should be stored or discarded. None of this
is provided in the Examiner's references.

ATTORNEY DOCKET NO. 06897. P006
Confirmation No. 8851
PATENT APPLICATION 10/816,422

Another distinct problem with the Examiner's proffered §103 rejections is that
no reference discusses any type of search scheduling to occur after an initial search is
generated, or how such searching would continue on a periodic basis. As an aside,
no reference discusses how a report would be automatically sent to a network
address of an author of the initial search.

It should also be noted that the entire tag feature of Independent Claim 1 is 
not accounted for in the Examiner's erroneous citation to the Piersol reference. 
More specifically, in the Final Office Action, the Examiner postulated: 

However Piersol discloses tags of objects captured by the capture system to be defined (the 
metadata file contains special information about the document from the capturing device) (col. 8, lines 
50-56), wherein each tag is associated with at least one captured object and includes relevant information 
that describes the at least one object (a unique identifier, such as a serial number, may be assigned to 
each document and stored in the document's metadata file) (col. 9, lines 65-67 and col. 10, lines 1-5) 
[These documents constitute data being intercepted from the streams of network data and these data as 
objects will be reconstructed when reached their destination], Piersol teaching of tag modify the capture 
system of Dugatkin. Therefore, it would have been obvious to one having ordinary skill in the art at the 

[See the Final Office Action mailed October 1, 2010: page 4.]

To pull apart this flawed analysis, the first point to understand is that
according to Independent Claim 1, the tag can identify objects, where the objects
can be part of the document. More specifically, Independent Claim 1 recites "... a
search editor view to enable parameters of a search of tags of objects captured by
the capture system to be defined, the capture system configured to intercept data
from data streams, reconstruct the data, and store network transmitted objects
according to a capture rule that defines which objects are to be captured by the
capture system... each tag is associated with at least one captured object and
includes relevant information that describes the at least one object...."

In contrast, the Examiner is citing a serial number for a document being
stored. If by some strained logic Applicant equated a serial number to a tag, then
where is the Examiner's support for any type of object, as is being recited by
Independent Claim 1? If, on the other hand, the Examiner is equating the object to
the serial number, then where is the Examiner's support for the tags? Clearly,
something is missing in this analysis.

Hence, there are three elements being recited in Independent Claim 1: tags, 
objects, and a document. In a best-case scenario, the Examiner has only found two 
of these elements. Unfortunately, the relationship between these two elements is 
not the same as what is found in Independent Claim 1. Even more problematic is the 
Examiner's assertion that a 'serial number' would be the equivalent of an object. 
Reading Independent Claim 1 closely undermines the Examiner's assumptions 
because network transmitted objects are stored according to a capture rule that 
defines which objects are to be captured in the first place. In direct contradiction to 
this, the serial numbers are not transmitted over the network, nor are they stored 
according to a capture rule that defines which serial numbers would be captured on 
the front end of a capture system.

Indeed, the Piersol reference teaches away from this feature of Independent
Claim 1. The Piersol architecture labels documents with a serial number, whereas 
Independent Claim 1 is outlining a capture system in which network transmitted 
objects are being captured based on a capture rule. There are four or five 
additional reasons why the current claim set is allowable; however, rather than 
further burden the Board, Applicant will truncate this analysis at this juncture. 

All of the aforementioned limitations are provided for in Independent Claim 1, 
but no reference of record includes such elements. For at least these reasons, 
Independent Claim 1 is allowable over any cited reference, or combination of 
references. Independent Claim 27 recites limitations similar, but not identical, to 
those recited in Independent Claim 1. Therefore, Independent Claim 27 is also 
allowable, for example, for the same reasons as identified above. Additionally, the 
corresponding dependent claims from these Independent Claims are also patentably 
distinct for analogous reasons. Notice to this effect is respectfully requested in the 
form of a full allowance of these claims. 

For at least these reasons, all of the pending claims have been shown to be 
allowable as they are patentable over the references of record. Notice to this effect 
is respectfully requested in the form of a full allowance of these claims. In view of 
the above, and for other reasons clearly apparent, Appellant respectfully submits 
that the Application is in condition for allowance.

The appropriate large entity Appeal Brief fee for $540.00 is being paid
concurrently herewith via the Electronic Filing System (EFS) by way of Deposit
Account No. 50-4889 authorization. Therefore, Appellant believes that no other fee
is due. If this is incorrect, please apply any other charges or credits to deposit
account 50-4889 and reference Attorney Docket No. 06897. P006.

Respectfully submitted, 

PATENT CAPITAL GROUP 
Attorneys for Appellant 

/Thomas J. Frame/ 

Thomas J. Frame 
Reg. No. 47,232 

Date: January 30, 2011 



Customer No. 97298

VIII. CLAIMS APPENDIX

1. (Rejected) A method comprising: 

presenting a graphical user interface (GUI) for a capture system, wherein the 
GUI comprises one or more views including: 

a search editor view to enable parameters of a search of tags of objects 
captured by the capture system to be defined, the capture system configured 
to intercept data from data streams, reconstruct the data, and store network 
transmitted objects according to a capture rule that defines which objects are 
to be captured by the capture system, wherein each tag is associated with at 
least one captured object and includes relevant information that describes the 
at least one object, and wherein the capture rule is part of a default rule set 
for the capture system configured to monitor network traffic and capture 
the at least one object, and wherein the capture system is configured to 
store a document captured by the capture system according to the capture 
rule, which identifies a first internet protocol (IP) address from which the 
document was sent and a second IP address associated with an intended 
destination of the document, and wherein after an initial search is generated it 
is scheduled to occur on a periodic basis such that a report is automatically 
sent to a network address of an author of the initial search; and 

a capture rule view to enable parameters of the capture rule to be 
defined. 

2. (Rejected) The method of claim 1, wherein the parameters definable through 
the search editor view include both indexed and non-indexed search criteria.

3. (Rejected) The method of claim 1, wherein the definable search editor view
parameters include one or more of a plurality of search criteria, the search criteria 
comprising: 

a content type, 
a protocol, 
a keywords, and 
a word pattern. 

4. (Rejected) The method of claim 3, wherein the search criteria further include 
a source address, a destination address, a size range, and a temporal range. 

5. (Rejected) The method of claim 1, wherein the definable parameters of the 
search editor view specify one or more of a plurality of search criteria, the search 
criteria comprising: 

an email source, 
an email destination, 
an email carbon copy, 
an email subject, and 
message keywords. 



6-21. (Cancelled)

22. (Withdrawn) A capture system comprising:

a packet capture module to extract data packets from a data stream; 

an object assembly module to reconstruct a flow of at least one object from 
the extracted data packets; 

an object classification module to classify the at least one object and to 
deconstruct the flow into at least one object; 

an object store module to store the at least one object; and 

a graphical user interface (GUI) module to provide a GUI including a search 
view to allow for the authoring, editing, scheduling, and viewing of searches of 
stored tags. 

23. (Withdrawn) A method comprising: 
capturing data packets from a data stream; 

reconstructing said data packets into a copy of an original object; 
determining if the copy of the original object should be stored based on a 
capture rule; 

generating a tag for the copy of the original object; 

storing the copy of the original object and the tag if it is determined that the 
copy of the original object should be stored based on the capture rule; 

discarding the copy of the original object if it is determined that the copy of 
the original object should not be stored based on the capture rule; and 

generating a graphical user interface (GUI), the GUI including a search view to 
allow for the authoring, editing, scheduling, and viewing of searches of stored tags.

24. (Withdrawn) The method of claim 23, further comprising:

discarding the tag if it is determined that the copy of the original object should 
not be stored based on the capture rule. 

25. (Rejected) The method of claim 1, wherein the search is of tags of stored 
objects. 

26. (Cancelled) 

27. (Rejected) A computer readable medium having stored thereon data 
representing instructions that, when executed by a processor, cause the processor to 
perform operations comprising: 

presenting a graphical user interface (GUI) for a capture system, wherein the 
GUI comprises one or more views including: 

a search editor view to enable parameters of a search of tags of objects 
captured by the capture system to be defined, the capture system configured 
to intercept data from data streams, reconstruct network transmitted objects, 
and store network transmitted objects according to a capture rule that defines 
which objects are to be captured by the capture system, wherein each tag is 
associated with at least one captured object and includes relevant information 
that describes the at least one object, and wherein the capture rule is part of 
a default rule set for the capture system configured to monitor network 
traffic and capture the at least one object, and wherein the capture system 
is configured to store a document captured by the capture system according
to the capture rule, which identifies a first internet protocol (IP) address from
which the document was sent and a second IP address associated with an 
intended destination of the document, and wherein after an initial search is 
generated it is scheduled to occur on a periodic basis such that a report is 
automatically sent to a network address of an author of the initial search; and 
a capture rule view to enable parameters of the capture rule to be 
defined. 

28. (Rejected) The computer readable medium of claim 27, wherein the 
parameters definable through the search editor view include both indexed and non- 
indexed search criteria. 

29. (Rejected) The computer readable medium of claim 27, wherein the definable 
search editor view parameters include one or more of a plurality of search criteria, 
the search criteria comprising: 

a content type, 
a protocol, 
a keyword, and 
a word pattern. 

30. (Rejected) The computer readable medium of claim 29, wherein the search 
criteria further include a source address, a destination address, a size range, and a 
temporal range.

31. (Rejected) The computer readable medium of claim 27, wherein the definable
parameters of the search editor view specify one or more of a plurality of search 
criteria, the search criteria comprising: 

an email source, 
an email destination, 
an email carbon copy, 
an email subject, and 
message keywords. 

32. (Rejected) The computer readable medium of claim 27, wherein the search is 
of tags of stored objects. 

33. (Rejected) The method of claim 1, wherein the relevant information that 
describes the at least one object includes one or more of a plurality of fields, the 
fields comprising: 

a protocol, 

an instance, 

a content type, 

an encoding, 

a capture rule, 

an object signature, and 

a tag signature. 



34. (Cancelled)

IX. EVIDENCE APPENDIX

Appellants are not submitting any evidence at this time.

X. RELATED PROCEEDINGS APPENDIX

There are no related proceedings to this action. 



